January 24, 2013

Why Changing a Password Every Month Is Dangerous

Nothing is more annoying than being required to change your password on a very regular basis. This type of logic harkens back to the days when all of our user ID and password information was stored on UNIX systems in a plain-text file. Today, we have a better understanding of exactly how passwords can remain secure, and it is now known that this old adage of continually changing our passwords tends to decrease the level of security for a variety of reasons.

These reasons include:

The Human Condition – When individuals are forced to make changes to their password, they tend to develop ineffective or lousy passwords that are based on how easy the word or phrase is to remember.

Predictability – Being forced to perform a security-related task on a predictable, regular schedule, every month or quarter, is the perfect gift to a hacker, attacker or cyber-criminal.

The Path of Least Resistance

Users are rarely intentionally lazy. However, most users will not give a second thought to adhering to the absolute minimum password standards. After all, why spend five or ten minutes constructing a password that they'll only get to keep for 30 days? The results are creations like p@ssw0rd01, then p@ssw0rd02. If someone cracks a password like "p@ssw0rd09" in the month of September, I'm pretty sure they'll have October's password too.

Hackers like Predictability

Predictability is known to be a gift to a cyber-criminal. They base their entire account-hacking strategies around an understanding of human predictability. Hackers know that in time the user will grow tired of always having to change his or her password, and will fall back on the simplicity of some kind of pattern. Also, the more passwords a user has to create, the more likely they are to use words they shouldn't, like "dragon", "12345", or "michael". Malicious users who can figure out when stolen credentials were last changed will also learn how long their window to act upon them is.

Solutions

When it comes down to it, there doesn't seem to be a "perfect" solution here. We usually recommend a middle ground for most average security-level passwords. Allow the users to keep their passwords longer, but require a much higher standard for them. Instead of having a six- or eight-character minimum password that must be changed monthly, perhaps give them 90 days, but require an extra four characters in exchange.

If increasing password length is simply not an option, it could be time to look at deploying a two-factor authentication system. Our friends over at Yubico have developed a piece of hardware that brings two-factor authentication down to one button press.